---
layout: docs
page_title: Configure entropy augmentation
description: >-
  Configure entropy augmentation to sample entropy from external cryptographic
  modules when sealing Vault.
---

# Configure entropy augmentation

Entropy augmentation enables Vault to sample entropy from external cryptographic modules.
Sourcing external entropy is done by configuring a supported [Seal](/vault/docs/configuration/seal) type which
include: [PKCS11 seal](/vault/docs/configuration/seal/pkcs11), [AWS KMS](/vault/docs/configuration/seal/awskms), and
[Vault Transit](/vault/docs/configuration/seal/transit).
Vault Enterprises's external entropy support is activated by the presence of an `entropy "seal"`
block in Vault's configuration file.

~> **Note**: If using the Seal High Availability Beta, entropy will be retrieved
from seals in priority order, using bytes from the first available and online seal.

## Requirements

A valid Vault Enterprise license is required for Entropy Augmentation.

~> **Warning** This feature is not available with FIPS 140-2 Inside variants of Vault.

Additionally, the following software packages and enterprise modules are required for sourcing entropy
via the [PKCS11 seal](/vault/docs/configuration/seal/pkcs11):

- Vault Enterprise with the Plus package
- PKCS#11 compatible HSM integration library. Vault targets version 2.2 or
  higher of PKCS#11. Depending on any given HSM, some functions (such as key
  generation) may have to be performed manually.
- The [GNU libltdl library](https://www.gnu.org/software/libtool/manual/html_node/Using-libltdl)
  — ensure that it is installed for the correct architecture of your servers

## `entropy` example

This example shows configuring entropy augmentation through a PKCS11 HSM seal from Vault's configuration
file:

```hcl
seal "pkcs11" {
    ...
}

entropy "seal" {
    mode = "augmentation"
}
```

For a more detailed tutorial, visit the [HSM Entropy Challenge](/vault/tutorials/enterprise/hsm-entropy)
on HashiCorp's Learn website.

## `entropy augmentation` parameters

These parameters apply to the `entropy` stanza in the Vault configuration file:

- `mode` `(string: <required>)`: The mode determines which Vault operations requiring
  entropy will sample entropy from the external source. Currently, the only mode supported
  is `augmentation` which sources entropy for [Critical Security Parameters (CSPs)](/vault/docs/enterprise/entropy-augmentation#critical-security-parameters-csps).
- `seal_name` `(string: '')`: Specifies which seal (by name) in a   [Seal HA](/vault/docs/concepts/seal#seal-high-availability) setup to use to  source entropy. 
  By default, Vault sources entropy from the first available seal moving from lowest to highest priority.
